If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Digital Dogs Tut

The Digital Watch Dogs

Provided By Anatra.
Copyright Anatra 2003

Within the nets the systems of survey of the intrusions (the Intrusion detection Systems) is the second line of a system of defense or rather those can be considered that immediately come after the Firewalls and that they are often confused with these last ones. This probably happens since the normal consumer of internet often uses some very simple softwares that often understand both the functions (IDS and Firewall). The distinction mainly consists in this: the function of the firewalls is mainly the filtration of the packets on particular criterions established by the consumer (in base to the IP of origin, to the door of destination, to the type of packet etc. ). The function of the IDS is instead that to warn, as far as possible, the system administrator of situations of anomalous use of the net that could prelude to an attempt of entry not authorized or that they point out an access unfortunately happened already. We make an example that an usual situation describes and that it will subsequently clarify the ideas: you imagine to manage a server active web on the door 80. Naturally your firewall in this case has to make to pass all the applications addressed to that door because we imagine that your site is public and therefore turned to everybody and from all askable. how forehead can you be done therefore to turned attacks on the door 80 that the known bugs exploit or less known of your server web? here it enters game the IDS, that should be able to distinguish among a legitimate application and an anomalous. naturally in the case in which the application is of this type: "GET /.. /.. /.. / etc/password", it is simple to understand to see youyrself an attempt of attack, therefore an IDS should normally stop such application and to warn somehow (inside email, window pop-up, sms etc.) the system administrator.
Going down more in the detail we can distinguish two categories of IDS.

Network Based Intrusion Detection Systems

These systems found it on the monitoring of the packets that cross a whole under-net. their principle of operation is identical entirely to that of the sniffers or rather they uses the card of net in promiscuous formality to do so that the whole traffic of the under-net is elaborate from the system and that is not unloaded by the software of the card of net (what the MACs manage adress) the non direct packets to the same system.
The progenitors of the Network Based Ids were not anything else other than the analysers of packets (or sniffer that to tell it wants) as for instance the Microsoft Network Monitor. Naturally these applications required in every way the intervention of the man for the study of the sniffed traffic so they made a timely Intrusion Detection prohibitive. The following applications also working equally they possess functions of recognition of the activity of net before the all nonexistent ones.
me for instance rhyming you to the specifications of the products of the ISS (Internet Security Systems) as Real Secure (http://www.iss.net/products_services...ise_protection /) or of the NFR (http://nfr.net). I make you notice that in this case we speak both software that of hardware.

Host Based Intrusion Detection Systems

It reenters in this category the network analyzers that however don't use the card in promiscuous formality, and therefore they effect only the monitoring of the direct traffic to the machine on which they are installed, and the hosts monitor or rather those applications that actively check anomalies that happen inside the system, as for example non usual operations on the file system (the copy of a file of the passwords and similar) or they check everything operates him of the consumer administrator or still possible attempts of connection on non active doors etc.
To finish the picture of the IDSs I quote for completeness the Kernel Based Intrusion Detection Systems, implementable exclusively on the systems open source. Among these I quote the LIDS (Linux Intrusion Detection System http://www.lids.org) that it is able to armor the machines linux to level of kernel, for example preventing that the consumer root can install sniffer.
We see some simple IDSs for Windows that can be used for the protection of your own PC now.

BlackICE

The BlackIce is an IDS of the internet Security Systems. You can find the version of test on http://www.downloads.com. the version Full costs around 40 dollars. during the installation, the program creates a list of the files application installed on your machine. the operation has required since 7 to the 20 minutes, in base to the performances of your machine and the number of present applications. once finished the installation it is added an icon with the eye in low and to the right. the interface of use is very simple 4 mený to descent and three briefcases. In the first gimmicks I list it of the meaningful events verified it. As in all the events logger that respects it that of BlackIce allows to apply some filters in base to four levels of gravity of the event: informative, suspicious, serious, critical. to give you a term of comparison I say that a port scan on your machine is interpreted as suspicious event or the shut down of the same BlackIce as critical event. As quite a lot home IDS currently in circulation BlackIce is endowed with an integrated firewall whose window of configuration is from the mený tools. Rules of filtration can be inserted in base to the IP of origin, to the door of destination and the type of packet (IP,TCP,UDP) and it is possible to establish besides that the rule has a certain duration in the time. other interesting characteristic is the possibility to recall I list it some applications that it has been created during the installation and to decide to stop an application or a single bookstore, inclusive some that belongs to the operating system, or to exclusively limit the communications toward the outside. if you start an application it doesn't foresee in list BlackIce it will warn and it will ask you if you want to continue the execution or no. in the central briefcase of the program, that related to the intruders, their data are visualized: Ip of origin, the MAC Adress of the card of net, the name of the NetBIOS with which the PC is identified etc in its inside net. the last window is devoted to the graphs to give you an immediate picture of the situation. last annotation: through the mený of the formulations of BlackIce ricalldable always from the mený tools is possible to plan the criterions of the control of the applications and their communications with the outside, as well as the formality in which the logs are recorded (also on file or only on event loggers) and the level of protection of the integrated firewall.

The other personal IDSs

Always remaining within the personal IDS I signal the Tiger Guard Personal IDS (http://www.tigertools.net). Also deriving from a society that it doesn't have the same coat of arms of the ISS this product it is very valid however and it has a good relationship quality / price. (20 $). In comparison to the BlackIce it is also deprive of a control on the applications when they act in local. this however it is a peculiar characteristic of the BlackIce in the sense that the most greater part of the personal IDSs check only the applications if they try to access Internet and therefore not always. to forehead of this lack however TigerGuard has an integrated sniffer and the possibility to simulate a Honeypot Server. It succeeds besides in recognizing and to stop a big number of attacks (flood, DoS etc.) I signal besides you Norton Internet Security of Symantec (www.Symantec.com) and personal Firewall of McAfee (www.mcafee.com).

The future of the IDSs

The usual realization best IDS has a primary interest within the computer safety. In a future in which more and more critical " applications " are put online (I report particularly me to the imminent reforms on the e - Goverment) the timely individualization of attempts of intrusion or real intrusions is important with the purpose to avoid or to limit the damages. As for quite a lot other circles of the planning it is already trying to apply the algorithms to the IDSs typical of the Artificial intelligence, making therefore the future IDSs able to learn from the attempts of intrusion suffered for succeeding in recognizing attempts of intrusion that are not inclusive in the casuistry in its possession. To cloths respect I signal to the bravest a document of Jeremy Frank of the Department of Computer Science of the University of California entitled " Artificial Intelligence and Intrusion Detection: current and Future Directions " available to the I address: http://citeseer.nj.nec.com/frank94artificial.html